Re: [Patch net-next] netfilter: remove xt_NOTRACK

On Tue, Sep 04, 2012 at 05:57:28AM +0200, Jan Engelhardt wrote:
> 
> On Tuesday 2012-09-04 02:14, Maciej Żenczykowski wrote:
> 
> >+<----->if (cs->target->alias == NULL)^M
> >+<-----><------>strcpy(cs->target->t->u.user.name, cs->jumpto);^M
> >+<----->else^M
> >+<-----><------>strcpy(cs->target->t->u.user.name, cs->target->alias);^M
> >
> >I'd have probably written if (cs->target->alias) copy(alias) else copy(jumpto)
> >
> >doesn't this all really belong in the CT files now?
> >ie. libxt_CT.c not libxt_NOTRACK.c
> 
> I think so too.
> Furthermore, I have refined Pablo's patch.
> 
> 0. vcurrent was not updated, now done.
> 1. Loading libxt_NOTRACK.so would still ask the kernel for NOTRACK.0
>    (function "compatible_revision"), now addressed.
> 2. NOTRACK.0 can now directly map to CT.1, instead of going through CT.0.
> 3. Do away with libxt_NOTRACK.c, and resolve the dlopen call by
>    providing a symlink.
> 
> Not solved:
> 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
>    has become unusable on sufficiently old kernels.
>    Should we even bother?
> 
> [ Agglomeration of two patches in git://git.inai.de/iptables master ]
> diff --git a/configure.ac b/configure.ac
> index 861f5b3..a45d9ab 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -2,8 +2,8 @@
>  AC_INIT([iptables], [1.4.15])
>  
>  # See libtool.info "Libtool's versioning system"
> -libxtables_vcurrent=8
> -libxtables_vage=1
> +libxtables_vcurrent=9
> +libxtables_vage=0
>  
>  AC_CONFIG_AUX_DIR([build-aux])
>  AC_CONFIG_HEADERS([config.h])
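Review bot: resetting libxtables_vage from 1 to 0 while bumping vcurrent declares the new libxtables binary-incompatible with every earlier consumer; under the libtool rules referenced in the comment just above, an interface that was only extended gets age incremented (here to 2), not zeroed. The cover text only says "vcurrent was not updated", so either state which symbol was removed or changed to justify the age reset, or increment age instead.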
> diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
> index 218dc3a..92ac63d 100644
> --- a/extensions/GNUmakefile.in
> +++ b/extensions/GNUmakefile.in
> @@ -39,6 +39,7 @@ endif
>  #	Wildcard module list
>  #
>  pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c)))
> +pfx_build_mod += NOTRACK
>  @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c)))
>  @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c)))
>  pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
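Review bot: appending NOTRACK to pfx_build_mod before the blacklist filter keeps blacklisting working, but pfx_build_mod is also the list the "Static bits" section further down derives its object and init lists from; with libxt_NOTRACK.c gone there is no object or init function to build, so a static build will look for a module that no longer exists. Consider a separate variable for symlink-only modules that only feeds the shared-object install list.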
> @@ -100,6 +101,8 @@ lib%.oo: ${srcdir}/lib%.c
>  xt_RATEEST_LIBADD   = -lm
>  xt_statistic_LIBADD = -lm
>  
> +libxt_NOTRACK.so: libxt_CT.so
> +	ln -s $< $@
>  
>  #
>  #	Static bits
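Review bot: `ln -s $< $@` fails with "File exists" the second time the rule fires (whenever libxt_CT.so is rebuilt while the old link is still present); use `ln -fs $< $@`. Nothing in this hunk installs the symlink either, so check the install target: `install` dereferences symlinks and would leave a second full copy of libxt_CT.so in the extension directory instead of a link.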
> diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
> index 27a20e2..8012a59 100644
> --- a/extensions/libxt_CT.c
> +++ b/extensions/libxt_CT.c
> @@ -248,6 +248,13 @@ static void ct_save_v1(const void *ip, const struct xt_entry_target *target)
>  		printf(" --zone %u", info->zone);
>  }
>  
> +static void notrack_tg_init(struct xt_entry_target *target)
> +{
> +	struct xt_ct_target_info_v1 *info = (void *)target->data;
> +
> +	info->flags |= XT_CT_NOTRACK;
> +}
> +
>  static struct xtables_target ct_target_reg[] = {
>  	{
>  		.family		= NFPROTO_UNSPEC,
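Review bot: notrack_tg_init needs a one-line comment saying it exists because NOTRACK revision 0 is registered as an alias of CT revision 1 and differs only by presetting XT_CT_NOTRACK; a reader of libxt_CT.c in isolation has no way to connect this function to the NOTRACK entry added further down in the registration array.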
> @@ -274,6 +281,19 @@ static struct xtables_target ct_target_reg[] = {
>  		.x6_parse	= ct_parse_v1,
>  		.x6_options	= ct_opts_v1,
>  	},
> +	{
> +		.family		= NFPROTO_UNSPEC,
> +		.name		= "NOTRACK",
> +		.revision	= 0,
> +		.real_name	= "CT",
> +		.real_rev	= 1,
> +		.version	= XTABLES_VERSION,
> +		.size		= XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
> +		.userspacesize	= offsetof(struct xt_ct_target_info_v1, ct),
> +		.print		= ct_print_v1,
> +		.save		= ct_save_v1,
> +		.init		= notrack_tg_init,
> +	},

We also need to add support for real_rev 0 of the CT target. Just to
make sure that we don't break with old kernels.

I've pulled this and pushed out to the notrack-removal branch of
iptables. The idea would be to fix this issue above and to merge that
couple of patches once 3.7-rc1 is released.